YubiKey certificate location

Eskobar
Contributor

I have paired my YubiKey with my Mac. The PIN has replaced my system password.

I want to check the certificate expiry date in Jamf Inventory. I do not see the certificate in question under Jamf Inventory > Computer > Certificates! I do not see the YubiKey certificate in my keychain either!

Any idea where the cert is stored? How do I make it visible in Jamf?

9 replies

Jason33
Contributor III

Use something like Smart Card Utility from the App Store to see the certificate(s) on the YubiKey; it will also show you when they expire. I had to obtain 2 of the certs listed from our Cyber team to push to devices via a Config Profile, and I do see those in the inventory report for my machine under Certificates.

@Jason33 

Smart Card Utility is a paid app, isn't it? I haven't quite understood what you did to display the YubiKey cert info in Jamf Inventory.

boberito
Valued Contributor

You won't be able to see any of the YubiKey information in Jamf unless you build some sort of EA to read the certificate. The certs are on the YubiKey, not the device. They're only available when you have the YubiKey plugged in. And like @Jason33 said, it requires some tool like Smart Card Utility.

@boberito 

I can run these commands in Terminal with correct output.

[screenshot: Capture d’écran 2022-08-11 à 01.02.30.png]

However, I am not able to translate this into a valid EA. Any idea?

[screenshot: Capture d’écran 2022-08-11 à 01.51.36.png]

This EA is not working. What have I missed?

Eskobar
Contributor

[screenshot: Capture d’écran 2022-08-11 à 02.10.41.png]

This works in Terminal as a .sh file, not as an EA!

mknation
New Contributor II

@Eskobar 
I am setting up YubiKeys in my environment. Have you been able to configure the YubiKey and deploy the cert to another machine?

Eskobar
Contributor

Hi @mknation 

You can use the AD CS Connector to get the cert from MMC onto the key (not validated, but it should work).

We are using virtual Citrix access to get the cert (manual steps for the user, which require the PIN/login password).

---------

Big, big issue:

How can you help a user log in to his session if his smart card is blocked and he forgot his PIN code?

Yubico has created a Yubico minidriver for Windows that can detect if the card is locked and will prompt the user for the PUK. This tool has not been created for the Mac side!

What are you planning for that scenario?

mknation
New Contributor II

Hi @Eskobar 

We plan on using Jamf Connect, or having the user come into the office if they forgot their PIN code.


In your environment, do you domain-join the Macs? I don't want to join them to the domain, but I was wondering whether you did.


R_C
Contributor

@Eskobar I got the EA working.


Use the following installer and the following EA:

https://github.com/Yubico/yubikey-manager/releases
Current Version at time of this message: 
https://github.com/Yubico/yubikey-manager/releases/download/5.0.1/yubikey-manager-5.0.1-mac.pkg


#!/bin/sh
# Jamf Extension Attribute: report `ykman piv info` for an inserted YubiKey.
# ykman is installed by the yubikey-manager .pkg linked above.
YKMAN="/usr/local/ykman/ykman"

if [ -x "$YKMAN" ]; then
    # ykman prints an error and exits non-zero when no key is inserted;
    # capture stderr too so that message shows up in inventory.
    PIV_INFO=$("$YKMAN" piv info 2>&1)
    echo "<result>$PIV_INFO</result>"
else
    echo "<result>NotInstalled</result>"
fi
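The EA above dumps the whole `ykman piv info` text into one attribute. The original question was the certificate expiry date, and the later post raised the blocked-PIN case. The following is an added example (not posted in the thread and not Yubico's or Jamf's code) that parses that same `ykman piv info` output into two fields a Jamf admin can actually report on: the earliest "Not after" date across populated PIV slots, rewritten into the `YYYY-MM-DD hh:mm:ss` form Jamf expects for a Date-type EA, and the "PIN tries remaining" counter, where `0/3` means the card is blocked and only the PUK can unblock it. It assumes the ykman path used in the thread and that `ykman piv info` prints `Not after:` and `PIN tries remaining:` lines in the layout of the constructed sample below; check the output of your installed ykman version before deploying.

```shell
#!/bin/sh
# Added example: Jamf EA reporting PIV certificate expiry (and PIN retries)
# from an inserted YubiKey. Assumes the ykman path used in the thread.
YKMAN="/usr/local/ykman/ykman"

# Constructed sample of `ykman piv info` output for offline testing; the real
# layout may differ between ykman versions (assumption).
SAMPLE_PIV_INFO='PIV version:              5.4.3
PIN tries remaining:      3/3
PUK tries remaining:      3/3
Management key algorithm: TDES
CHUID: No data available
CCC:   No data available
Slot 9A (AUTHENTICATION):
  Private key type: RSA2048
  Public key type:  RSA2048
  Subject DN:       CN=example user
  Issuer DN:        CN=Example CA
  Serial:           1234
  Fingerprint:      aa:bb
  Not before:       2022-08-11T00:00:00+00:00
  Not after:        2025-08-11T00:00:00+00:00'

# Read `ykman piv info` text on stdin; print the earliest "Not after" date as
# "YYYY-MM-DD hh:mm:ss" (Jamf Date EA format). Prints nothing if no cert lines.
piv_not_after() {
    awk '/^ *Not after:/ {
            d = $0
            sub(/^ *Not after: */, "", d)                 # strip the label
            sub(/T/, " ", d)                               # ISO "T" -> space
            sub(/([+-][0-9][0-9]:[0-9][0-9]|Z)$/, "", d)   # drop UTC offset
            if (earliest == "" || d < earliest) earliest = d
        }
        END { if (earliest != "") print earliest }'
}

# Read `ykman piv info` text on stdin; print the PIN retry counter, e.g. "3/3".
# "0/3" means the PIN is blocked and the user needs the PUK (or a reset).
piv_pin_tries() {
    awk '/^PIN tries remaining:/ { print $NF; exit }'
}

# EA body: distinguishes "ykman missing", "no key inserted" and "no cert"
# so inventory shows why the date is absent rather than an empty value.
main() {
    if [ ! -x "$YKMAN" ]; then
        echo "<result>NotInstalled</result>"
        return 0
    fi
    # ykman exits non-zero (and prints an error) when no YubiKey is present.
    if ! info=$("$YKMAN" piv info 2>&1); then
        echo "<result>NoYubiKey</result>"
        return 0
    fi
    expiry=$(printf '%s\n' "$info" | piv_not_after)
    if [ -z "$expiry" ]; then
        echo "<result>NoCertificate</result>"
        return 0
    fi
    echo "<result>$expiry</result>"
}

main
```

Use one copy of this script as a Date-type EA and a second, returning `piv_pin_tries` instead of the expiry, as a String-type EA; a smart group on the latter matching `0/` gives you the list of users who will need help-desk PUK entry, which is the scenario raised above. Remember that both attributes only update when a YubiKey is inserted at inventory time.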